Confess 2013: OWASP Top 10 and Java EE security in practice

OWASP Top 10 and Java EE security in practice. Updated slides and presentation for Confess 2013

Published in: Technology
1 Comment
  • The summary was very good. Thank you.
    And an off-topic question: is there an organization or institute in Iran that can assess and certify the relative security of software?

  1. OWASP Top 10 and Java EE security in practice
     Masoud Kalali, @MasoudKalali
     Principal Software Engineer, ORACLE
  2. Agenda
     • Introduction
     • The Top 10 Most Critical Web Application Security Risks
     • QA
  3. Java EE 6 & GlassFish
     glassfish.org
  4. Motivation for this talk
     • Seen a lot
     • Providing a starting point
     • Sharing something
     • Making you aware
  5. The Top 10 Most Critical Web Application Security Risks (aka OWASP Top 10)
     • A1: Injection
     • A2: Broken Authentication and Session Management
     • A3: Cross-Site Scripting (XSS)
     • A4: Insecure Direct Object References
     • A5: Security Misconfiguration
     • A6: Sensitive Data Exposure
     • A7: Missing Function Level Access Control
     • A8: Cross-Site Request Forgery (CSRF)
     • A9: Using Components with Known Vulnerabilities
     • A10: Unvalidated Redirects and Forwards
     Source: http://owasptop10.googlecode.com, Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0)
  6. What is OWASP?
     • Open Web Application Security Project
     • Improving the security of (web) application software
       – Not-for-profit organization since 2001
       – Raise interest in secure development
     • Documents
       – Top 10
       – Cheat Sheets
       – Development Guides
     • Solutions
       – Enterprise Security API (ESAPI)
       – WebScarab
       – WebGoat
  7. A1 - Injection
  8. What is it?
     • Sending unintended data to applications
     • Manipulating and reading data stores (e.g. DB, LDAP, file system, etc.)
     • Java EE 6 affected:
       – UI technology of choice
       – Database access (JPA, JDBC)
       – File System API
       – etc.
  9. How to spot it!
       String customerId = request.getParameter("customerId");
       // untrusted text is concatenated straight into the SQL statement
       String query = "SELECT balance FROM customer_data WHERE customer_id = " + customerId;
       try {
           Statement statement = connection.createStatement( … );
           ResultSet results = statement.executeQuery( query );
       } catch (SQLException e) {
           // handle
       }

       String customerId = "x; DROP TABLE members; --"; // user-input
  10. Prevent Injection
     • Sanitize the input
     • Escape/quote-safe the input, e.g. use ESAPI
     • Use bound parameters (the PREPARED statement)
     • Limit database permissions and segregate users
     • Configure error reporting, e.g. use the OWASP LAPSE+ Static Code Analysis Tool
  11. Prevent Injection, Sample
       String customerId = request.getParameter("customerId");
       // white list validation and encoding
       String escapedCustomerId = ESAPI.encoder().encodeForSQL( new OracleCodec(), customerId );
       String query = "SELECT balance FROM customer_data WHERE customer_id = " + escapedCustomerId;
       ...
       // OR
       String query = "SELECT balance FROM customer_data WHERE customer_id = ? ";
       // using pstmt with encoded/validated input parameters
       PreparedStatement pstmt = connection.prepareStatement( query );
       pstmt.setString( 1, customerId );
       ResultSet results = pstmt.executeQuery();
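The two slide fragments above, put side by side as a complete program so the difference is visible on real rows. This is an added example, not code from the slides: it runs the slide-9 concatenated query and the slide-11 bound-parameter query against an in-memory Apache Derby database, and adds the whitelist check the slide calls "white list validation". It assumes the Derby embedded driver is on the classpath (Derby ships with GlassFish 3.x as Java DB); the table, rows and the `BalanceLookup` class name are constructed for the example.

```java
import java.math.BigDecimal;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

/** Added example: concatenated query vs. validated, bound query (assumes Derby on the classpath). */
public class BalanceLookup {

    // Whitelist: a customer id is a short run of digits and nothing else.
    private static final Pattern CUSTOMER_ID = Pattern.compile("\\d{1,9}");

    /** Vulnerable (slide 9): the untrusted text becomes part of the SQL grammar. */
    static int countRowsUnsafe(Connection connection, String customerId) throws SQLException {
        String query = "SELECT balance FROM customer_data WHERE customer_id = " + customerId;
        try (Statement statement = connection.createStatement();
             ResultSet results = statement.executeQuery(query)) {
            int rows = 0;
            while (results.next()) rows++;
            return rows;
        }
    }

    /** Hardened (slide 11): whitelist-validate, then bind as a typed parameter. */
    static BigDecimal balanceSafe(Connection connection, String customerId) throws SQLException {
        if (!CUSTOMER_ID.matcher(customerId).matches()) {
            throw new IllegalArgumentException("customerId is not a numeric id");
        }
        String query = "SELECT balance FROM customer_data WHERE customer_id = ?";
        try (PreparedStatement pstmt = connection.prepareStatement(query)) {
            pstmt.setInt(1, Integer.parseInt(customerId)); // sent as a value, never as SQL text
            try (ResultSet results = pstmt.executeQuery()) {
                return results.next() ? results.getBigDecimal(1) : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:derby:memory:demo;create=true");
             Statement s = c.createStatement()) {
            // Constructed sample data.
            s.executeUpdate("CREATE TABLE customer_data (customer_id INT PRIMARY KEY, balance DECIMAL(12,2))");
            s.executeUpdate("INSERT INTO customer_data VALUES (1, 100.00), (2, 250.50)");

            // Constructed hostile input: turns "one customer" into "every customer".
            String hostile = "1 OR 1=1";
            System.out.println("unsafe, hostile input -> rows returned: " + countRowsUnsafe(c, hostile)); // 2, the whole table
            System.out.println("safe, id 2 -> balance: " + balanceSafe(c, "2"));                           // 250.50
            try {
                balanceSafe(c, hostile);
            } catch (IllegalArgumentException e) {
                System.out.println("safe, hostile input -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The prepared statement alone already stops the grammar change; the whitelist in front of it is the extra layer the slide asks for, and it is also what lets the code bind an `int` rather than a string, so the database sees the type it expects.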
  12. A2 - Broken Authentication and Session Management
  13. What is it?
     • Container security vs. own solution
     • Session binding / session renewal
     • Passwords
       – Strength (length/complexity)
       – Plain text passwords (http/https)
       – Recovery mechanisms
     • Number of factors used for authentication
     • Java EE 6 affected:
       – JAAS / JASPIC
       – Filter / PhaseListener
       – Container and web-app configuration
  14. How to spot it
     • Authentication over http
     • Custom security filter
     • Not using container functionality
     • No password strength requirements
     • No HttpSession binding
     • Way of saving passwords
     • Not testing security
  15. Best Practices
     • Use container managed security!
     • Go with provided standard Realms and LoginModules whenever possible
     • Invalidate the session and all relevant bits when logged out
     • If you need custom ones: test them extremely carefully!
     • Use transport layer encryption (TLS/SSL) for authentication and credentials transport
     • Review and adopt OWASP’s ASVS (Application Security Verification Standard)
  16. A3 - Cross-Site Scripting (XSS)
  17. What is it?
     • Inject malicious code into user interfaces
     • Get access to browser information
       – E.g. javascript:alert(document.cookie)
     • Steal the user’s session, steal sensitive data
     • Rewrite the web page or parts of it
     • Redirect the user to a phishing or malware site
     • Java EE 6 affected:
       – UI technology of choice (e.g. JSF, JSP)
  18. How to spot it
     • Anywhere that untrusted data is used as one of the following in an outgoing response:
       – HTML element attributes
       – JavaScript variables
       – CSS values
       – Etc.
       (String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
  19. Prevent
     • Sanitize the input, e.g. use OWASP AntiSamy or the OWASP Java HTML Sanitizer
     • Escape untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL)
     • Use cookie flags:
       – httpOnly (prevents XSS access)
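The "escape based on the HTML context" bullet, applied to the slide-18 snippet. This is an added example, not code from the slides or from ESAPI: `encodeForHtmlAttribute` is a hand-written stand-in for an attribute-context encoder that follows the OWASP rule for that context (quote the attribute, and encode every character outside `[A-Za-z0-9]` as an `&#xHH;` entity). The class name, the method names and the input value are constructed for the example; the request parameter is passed in as a plain `String` so the program runs without a servlet container.

```java
/** Added example: attribute-context output encoding for the slide's creditcard input. */
public class AttributeEscaping {

    /** Vulnerable form from slide 18: untrusted value pasted into an attribute as-is. */
    static String renderUnsafe(String creditCardParam) {
        return "<input name='creditcard' type='TEXT' value='" + creditCardParam + "'>";
    }

    /** Hardened form: quoted attribute, value entity-encoded for the attribute context. */
    static String renderSafe(String creditCardParam) {
        return "<input name=\"creditcard\" type=\"text\" value=\""
                + encodeForHtmlAttribute(creditCardParam) + "\">";
    }

    /**
     * Encodes everything except ASCII letters and digits as a numeric entity.
     * Over-encoding is deliberate: it stays correct regardless of which quote
     * character (or none) the surrounding template author used.
     */
    static String encodeForHtmlAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); ) {
            int cp = s.codePointAt(i);
            i += Character.charCount(cp);
            if ((cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z') || (cp >= '0' && cp <= '9')) {
                out.appendCodePoint(cp);
            } else {
                out.append("&#x").append(Integer.toHexString(cp)).append(';');
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input: a value that closes the attribute and the tag.
        String hostile = "x'><b>not a card number</b>";
        System.out.println("unsafe: " + renderUnsafe(hostile)); // the <b> element becomes part of the page
        System.out.println("safe:   " + renderSafe(hostile));   // the browser shows the literal text in the field
        System.out.println("benign: " + renderSafe("4111-1111"));
        // encoder never emits a quote, '<', '>' or '&' as-is
        System.out.println(encodeForHtmlAttribute("a\"b").equals("a&#x22;b"));
    }
}
```

For the slide's cookie-flag bullet, Servlet 3.0 (Java EE 6) lets the container set the session cookie's flags declaratively in `web.xml` through `<session-config><cookie-config><http-only>true</http-only><secure>true</secure></cookie-config></session-config>`; cookies the application creates itself get the same treatment through `Cookie.setHttpOnly(true)` and `Cookie.setSecure(true)`.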
  20. A4 – Insecure Direct Object References
  21. What is it?
     • Exposing secure objects without defense
     • Accessing domain objects with their PK, e.g. https://you.com/user/1 => https://you.com/user/21
     • Opening opportunities for intruders
     • Information hiding on the client
     • Parameter value tampering
     • Java EE 6 affected:
       – All layers
       – Especially data access
  22. How to spot it
     • Direct user input to object mapping
     • No verification on user input (defenseless)
     • Data separation for users (tenants)
     • Request mode access for data (RUD)
     • Query constraints
  23. Best Practices
     • Use AccessReferenceMaps
       http://app?file=Report123.xls -> http://app?file=1
       http://app?id=9182374 -> http://app?id=7d3J93
     • Use data-driven security
     • Validate object references
     • Always perform additional data authorization on the view
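The AccessReferenceMaps bullet, worked through in code. This is an added example and not ESAPI's implementation: a per-user map that hands the client a random indirect token for each direct reference (file name, primary key) the user is allowed to reach, and resolves only tokens it issued, so a token copied from another user's page or a guessed direct reference resolves to nothing. The class name and the two file names are constructed; it assumes Java 8 or later for `java.util.Base64`.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Added example: one map per user (in practice kept in that user's HttpSession). */
public class AccessReferenceMap {
    private final SecureRandom random = new SecureRandom();
    private final Map<String, String> directToIndirect = new HashMap<>();
    private final Map<String, String> indirectToDirect = new HashMap<>();

    /** Registers a direct reference this user may use and returns the token to put in the page. */
    public synchronized String addDirectReference(String direct) {
        String existing = directToIndirect.get(direct);
        if (existing != null) return existing;           // stable token within the session
        String indirect;
        do {
            byte[] buf = new byte[12];                    // 96 random bits: not guessable, not sequential
            random.nextBytes(buf);
            indirect = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        } while (indirectToDirect.containsKey(indirect));
        directToIndirect.put(direct, indirect);
        indirectToDirect.put(indirect, direct);
        return indirect;
    }

    /** Resolves a token from the request; null means "not issued to this user" and must be treated as denied. */
    public synchronized String getDirectReference(String indirect) {
        return indirect == null ? null : indirectToDirect.get(indirect);
    }

    public static void main(String[] args) {
        // Constructed scenario: two logged-in users, each with their own map.
        AccessReferenceMap alice = new AccessReferenceMap();
        AccessReferenceMap bob = new AccessReferenceMap();
        String aliceToken = alice.addDirectReference("Report123.xls");
        String bobToken = bob.addDirectReference("Report999.xls");

        System.out.println("link rendered for Alice: http://app?file=" + aliceToken);
        System.out.println("Alice's own token      -> " + alice.getDirectReference(aliceToken));      // Report123.xls
        System.out.println("Bob's token, Alice's map -> " + alice.getDirectReference(bobToken));       // null: deny
        System.out.println("direct name, Alice's map -> " + alice.getDirectReference("Report999.xls")); // null: deny
        System.out.println("token is stable: " + aliceToken.equals(alice.addDirectReference("Report123.xls"))); // true
    }
}
```

The map only replaces the *reference*; the "additional data authorization on the view" bullet still applies, because a user who is later stripped of a permission keeps the token until the session ends.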
  24. A5 - Security Misconfiguration
  25. What is it?
     • Applies to
       – Operating system
       – Application server
       – Databases
       – Additional services
       – Frameworks
       – Developed code
       – Etc.
     • Includes (beside _many_ others)
       – All security relevant configuration
       – Missing patches
       – Default accounts
  26. Worst Practices
     • Network interface/socket access control
     • Relaxed file system access control
     • Using any defaults like:
       – Passwords: Admin, master password
       – Network interface binding: listening on 0.0.0.0
       – Certificates: self-signed certificate
     • Using a non-hardened OS!
     • Not using a segregated user for the service
     • Not restricting the GlassFish/server component-specific user, nor enabling the security manager
  27. Policy Files location
     • Global policy file: java.home/jre/lib/security/java.policy
     • User policy file: user.home/.java.policy
     • Domain policy file: domain.home/config/server.policy
     • Application policy file: domain.home/generated/policy/<app.name>/<module.name>/granted.policy
  28. Review the *.policy files
     • Policy files precedence order
     • Remove unused grants
     • Add extra permissions only to applications or modules that require them, not to all applications deployed to a domain.
     • Document your changes!
  29. Running GlassFish in a Secure Environment
     • Use the latest version (3.1.2.2)
     • Enable secure admin (TLS/https)
     • Use password aliasing
     • Enable the security manager and put forth a proper security policy file design
     http://blog.eisele.net/2011/05/securing-your-glassfish-hardening-guide.html
     http://docs.oracle.com/cd/E18930_01/html/821-2435/gkscr.html
  30. A6 - Sensitive Data Exposure
  31. What is it?
     • Sensitive data kept unprotected
     • Sensitive data exposed to the wrong persons
     • Could be:
       – Passwords
       – Financial/health care data
       – Credit cards
  32. Worst Practices
     • Storing sensitive data unencrypted
     • Storing comparative data unhashed (passwords/security question answers…)
     • Keeping clear text copies of encrypted data
     • Not keeping the keys/passwords well guarded
     • Caching/autocomplete on pages with sensitive data
  33. Worst Practices
     • Using basic/form authentication without SSL
     • Not using HTTPS for pages with private information
     • Using the default self-signed certificate
     • Storing unencrypted cookies
     • Not setting cookies to be securely transmitted (Cookie.setSecure(true))
     • Forgetting about the rest of the infrastructure
  34. Prevention
     • Identify sensitive data
     • Wisely encrypt sensitive data
       – On every level (application, appserver, db)
       – With the right algorithm, as strong as possible but not more!
       – With the right mechanism, e.g. scrypt and bcrypt
     • Don’t keep clear text copies
     • Decrypting and viewing clear text should be restricted to authorized personnel
     • Keep the keys as protected as possible
     • Keep offsite encrypted backups in addition to on-site copies